netcat mods

[wick2o]

According to http://virusscan.jotti.org/ it bypasses all buy AntiVir. I have also tested with the latest version of norton.

I just got sick of AV's removing my netcat from my usbkey. I'd love to upload my patch, but exe files seem to be rejected. PM me if your interested, or if you have a place it can be uploaded for and then linked to.

<edit>

I have uploaded the file to rapidshare. Click Here

In short, I added a NOP in the sig for norton, and then encrypted the rest of the .text section with a VERY simple xor script to hide it from the rest. There are a few anti-virus programs that appear to use the .data section in their sig, still working on encrypting that without destroying the programs functionality.

</edit>

[coyotepedia]

I don't know about Norton, but it certainly gave my copy of AVG fits. Too bad, since I've had the same problem with losing things from my USB key.

[SomethingToChatWith]

Create a batch to rename the files with an unkown extension or remove .exe altogether. Than when you want to use the program have another batch that'll restore the extensions. Had to do this with Cain on my usb because McAfee would auto-remove it.

[Iain]

Create a batch to rename the files with an unkown extension or remove .exe altogether. Than when you want to use the program have another batch that'll restore the extensions. Had to do this with Cain on my usb because McAfee would auto-remove it.

I'm amazed that such a simple tweak works to prevent AV doing it's "thing". I was under the impression that AV looks at data within the file (as a signature), rather than simply the file extension.

[sablefoxx]

Mirror: http://dl.getdropbox.com/u/341940/netcat-patch.rar

Netcat + Source: http://dl.getdropbox.com/u/341940/netcat.rar

(Yay no rapid share)

[SomethingToChatWith]

It doesn't scan the contents of the file until you actually try to run it. The only other time where it would auto-remove based on content otherwise is if you got realtime scanning enabled on a half way decent security suite and are copying/moving the file to another disk/location.

[Zaitsevs]

I think you can add exceptions to drives and paths in AVG or basically any antivirus software. I remember having to do it when I used norton 2003, and then switched over to AVG I did the same thing for my hacktoolz dir.

[wick2o]

I think you can add exceptions to drives and paths in AVG or basically any antivirus software. I remember having to do it when I used norton 2003, and then switched over to AVG I did the same thing for my hacktoolz dir.

Thats great until you want to run your tools on another computer.

[SomethingToChatWith]

Here's another idea. See if you can fool it by having it in a zip or cab file and than just copying out the programs when you need them. You might be able to run them from zip/cab if you're lucky, but don't be suprised if it doesn't.

[Webhostbudd]

It doesn't scan the contents of the file until you actually try to run it. The only other time where it would auto-remove based on content otherwise is if you got realtime scanning enabled on a half way decent security suite and are copying/moving the file to another disk/location.

Most antiviruses with real time protection and even on demand scanners, scan by file extension. Basically if you make it a random extension that the AV has no clue about, it will not scan for it. I believe this is to speed up time on the AV's part. If you do an on demand scan of the specific file(even with the extension changed), it will most likely remove it.

[SomethingToChatWith]

Yes I know its not likely you could get away with it. Ok... here's a more solid example of what I mean:

I put netcat in an iso file to keep on my hard drive. Real-time scans don't do anything to it. Even if it does detect it during a manual/automatic scan, it can't remove it because its a disc image... unless it actually just considered the whole .iso a bad file.

[DingleBerries]

Yes I know its not likely you could get away with it. Ok... here's a more solid example of what I mean:

I put netcat in an iso file to keep on my hard drive. Real-time scans don't do anything to it. Even if it does detect it during a manual/automatic scan, it can't remove it because its a disc image... unless it actually just considered the whole .iso a bad file.

your virii protection is shit then.

[Webhostbudd]

^ Agreed

[SomethingToChatWith]

Well actually, I havent put this to practice for myself. I usually just rename the files as suggested before.